The Office for Civil Rights (OCR) has once again penalized a covered entity for failing to comply with the requirements of the HIPAA Security Rule. On December 14, 2015, the OCR announced that the University of Washington, on behalf of the university’s affiliated covered entity UW Medicine, agreed to a settlement in the amount of $750,000 for alleged violations of the HIPAA Security Rule.
In November 2013, UW Medicine reported to the OCR a breach of electronic protected health information (ePHI) that affected approximately 90,000 individuals. The breach occurred when an employee downloaded an email attachment that contained malicious malware. The OCR investigated and determined that UW Medicine had failed to conduct an organization-wide risk analysis of its IT systems.
Specifically, the OCR determined that UW Medicine had security policies in place that required each of its affiliated medical clinics and hospitals to conduct a system-wide risk analysis, but UW Medicine did not ensure that each of these entities actually conducted this risk analysis. OCR director Jocelyn Samuels emphasized in the press release announcing the settlement that a risk analysis must be “comprehensive” across the organization’s IT systems, rather than limiting the risk analysis to a “specific system” like electronic medical records.
As part of the settlement, the University of Washington agreed to enter into a two-year Corrective Action Plan that requires it to:
- Develop a current and comprehensive risk analysis of the vulnerabilities to its ePHI;
- Provide the OCR with a Risk Management Plan after the OCR approves the risk analysis;
- Reorganize the UW Medicine compliance program to ensure compliance with the HIPAA Security Rule;
- Report any incidents of non-compliance; and
- Submit an annual report after each one-year period assessing its compliance under the Corrective Action Plan.
This settlement emphasizes that covered entities and business associates must ensure that they have conducted an organization-wide accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI held by the covered entity or business associate. The results of the risk analysis must be used to draft the remainder of the organization’s HIPAA Security Rule policies and procedures. In addition, the risk analysis should be updated as new technologies and business operations are planned (e.g., change in ownership, turnover in key staff, and incorporation of new technologies).
The OCR has released a few pieces of guidance which serve to provide insight into how the government expects covered entities and business associates to conduct a risk analysis. For example, see the OCR’s Guidance on Risk Analysis Requirements under the HIPAA Security Rule. In addition, the Office of the National Coordinator (ONC) for Health Information Technology has developed a security risk analysis tool in collaboration with the OCR. Organizations should ensure their risk analysis meets the government’s expectations under these pieces of guidance. This is especially important since the OCR is expected to be looking for completed risk analyses in the upcoming Phase Two HIPAA Audits.